Merge commit '75a5b16f208bb639ce8eb379adb125bd4cab3230' into release

milliHQ · Jun 7, 2022 · c0a605d · c0a605d
2 parents 0963ca5 + 75a5b16
commit c0a605d
Show file tree

Hide file tree

Showing 8 changed files with 188 additions and 46 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,13 @@
 
 ## [Unreleased]
 
+## [1.0.0-canary.3] - 2022-06-07
+
+- Fixes deployments without Lambdas ([#325](https://github.com/milliHQ/terraform-aws-next-js/pull/325))
+- Use CloudFormation role ([#324](https://github.com/milliHQ/terraform-aws-next-js/pull/324))
+- Improve CLI ([#323](https://github.com/milliHQ/terraform-aws-next-js/pull/323))
+- Fix runtime bundle ([#322](https://github.com/milliHQ/terraform-aws-next-js/pull/322))
+
 ## [1.0.0-canary.2] - 2022-05-31
 
 - Adds static prefix to files served from S3 ([#321](https://github.com/milliHQ/terraform-aws-next-js/pull/321))

diff --git a/README.md b/README.md
@@ -217,7 +217,7 @@ For building and deploying Next.js apps to the system we created a CLI tool call
 It is a npm package that can be installed with:
 
 ```sh
-npm i -g tf-next
+npm i -g tf-next@canary
 ```
 
 Next, we need to build the Next.js so that it can run in a serverless environment (with AWS Lambda).

diff --git a/main.tf b/main.tf
@@ -84,6 +84,109 @@ resource "aws_dynamodb_table" "deployments" {
     projection_type    = "INCLUDE"
     non_key_attributes = ["CreateDate", "DeploymentAlias", "DeploymentId", "Status"]
   }
+
+  tags = var.tags
+}
+
+#####################
+# CloudFormation Role
+#####################
+
+# Policy that controls which actions can be performed when CloudFormation
+# creates a substack (from CDK)
+data "aws_iam_policy_document" "cloudformation_permission" {
+  # Allow CloudFormation to publish status changes to the SNS queue
+  statement {
+    effect = "Allow"
+    actions = [
+      "sns:Publish"
+    ]
+    resources = [module.deploy_controller.sns_topic_arn]
+  }
+
+  # Allow CloudFormation to access the lambda content
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:GetObject"
+    ]
+    resources = [
+      module.statics_deploy.static_bucket_arn,
+      "${module.statics_deploy.static_bucket_arn}/*"
+    ]
+  }
+
+  # Stack creation
+  statement {
+    effect = "Allow"
+    actions = [
+      # TODO: Restrict the API Gateway action more
+      "apigateway:*",
+      "iam:CreateRole",
+      "iam:GetRole",
+      "iam:GetRolePolicy",
+      "iam:PassRole",
+      "iam:PutRolePolicy",
+      "iam:TagRole",
+      "lambda:AddPermission",
+      "lambda:CreateFunction",
+      "lambda:CreateFunctionUrlConfig",
+      "lambda:GetFunctionUrlConfig",
+      "lambda:GetFunction",
+      "lambda:TagResource",
+      "logs:CreateLogGroup",
+      "logs:PutRetentionPolicy",
+      "logs:TagLogGroup"
+    ]
+    resources = ["*"]
+  }
+
+  # Stack deletion
+  statement {
+    effect = "Allow"
+    actions = [
+      "apigateway:*",
+      "iam:DeleteRole",
+      "iam:DeleteRolePolicy",
+      "iam:UntagRole",
+      "lambda:DeleteFunction",
+      "lambda:DeleteFunctionUrlConfig",
+      "lambda:RemovePermission",
+      "lambda:UntagResource",
+      "logs:DeleteLogGroup",
+      "logs:DeleteRetentionPolicy",
+      "logs:UntagLogGroup"
+    ]
+    resources = ["*"]
+  }
+}
+
+data "aws_iam_policy_document" "cloudformation_permission_assume_role" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudformation.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_policy" "cloudformation_permission" {
+  name        = "${var.deployment_name}_cf-control"
+  description = "Managed by Terraform Next.js"
+  policy      = data.aws_iam_policy_document.cloudformation_permission.json
+
+  tags = var.tags
+}
+
+resource "aws_iam_role" "cloudformation_permission" {
+  name               = "${var.deployment_name}_cf-control"
+  assume_role_policy = data.aws_iam_policy_document.cloudformation_permission_assume_role.json
+  managed_policy_arns = [
+    aws_iam_policy.cloudformation_permission.arn
+  ]
 }
 
 ###################
@@ -122,9 +225,16 @@ module "statics_deploy" {
   deploy_status_sns_topic_arn = module.deploy_controller.sns_topic_arn
 
   dynamodb_region                 = data.aws_region.current.name
+  dynamodb_table_aliases_arn      = aws_dynamodb_table.aliases.arn
+  dynamodb_table_aliases_name     = aws_dynamodb_table.aliases.id
   dynamodb_table_deployments_arn  = aws_dynamodb_table.deployments.arn
   dynamodb_table_deployments_name = aws_dynamodb_table.deployments.id
 
+  cloudformation_role_arn = aws_iam_role.cloudformation_permission.arn
+
+  enable_multiple_deployments      = var.enable_multiple_deployments
+  multiple_deployments_base_domain = var.multiple_deployments_base_domain
+
   lambda_role_permissions_boundary = var.lambda_role_permissions_boundary
 
   deployment_name = var.deployment_name

diff --git a/modules/api/main.tf b/modules/api/main.tf
@@ -35,6 +35,19 @@ data "aws_iam_policy_document" "access_upload_bucket" {
   }
 }
 
+# Initiate deletion of CloudFormation stacks
+data "aws_iam_policy_document" "delete_cloudformation_stack" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "cloudformation:DeleteStack"
+    ]
+    resources = [
+      "arn:aws:cloudformation:*:*:stack/*/*"
+    ]
+  }
+}
+
 module "lambda" {
   source = "../lambda-worker"
 
@@ -49,10 +62,11 @@ module "lambda" {
   memory_size   = 128
 
   attach_policy_jsons    = true
-  number_of_policy_jsons = 2
+  number_of_policy_jsons = 3
   policy_jsons = [
     data.aws_iam_policy_document.access_dynamodb_tables.json,
     data.aws_iam_policy_document.access_upload_bucket.json,
+    data.aws_iam_policy_document.delete_cloudformation_stack.json,
   ]
 
   environment_variables = {
@@ -129,8 +143,7 @@ data "aws_iam_policy_document" "access_api" {
 }
 
 resource "aws_iam_policy" "access_api" {
-  name = "api-access"
-  path = "/${var.deployment_name}/"
+  name = "${var.deployment_name}_api-access"
 
   description = "Managed by Terraform Next.js"
 

diff --git a/modules/deploy-controller/main.tf b/modules/deploy-controller/main.tf
@@ -36,7 +36,8 @@ data "aws_iam_policy_document" "access_dynamodb_tables" {
       "dynamodb:GetItem",
       "dynamodb:PutItem",
       "dynamodb:Query",
-      "dynamodb:UpdateItem"
+      "dynamodb:UpdateItem",
+      "dynamodb:DeleteItem"
     ]
     resources = [
       var.dynamodb_table_deployments_arn,

diff --git a/modules/proxy/variables.tf b/modules/proxy/variables.tf
@@ -4,7 +4,7 @@
 
 variable "proxy_module_version" {
   type    = string
-  default = "1.0.0-canary.2"
+  default = "1.0.0-canary.3"
 }
 
 variable "lambda_default_runtime" {

diff --git a/modules/statics-deploy/main.tf b/modules/statics-deploy/main.tf
@@ -112,46 +112,20 @@ data "aws_iam_policy_document" "access_static_deploy" {
     resources = [var.cloudfront_arn]
   }
 
-  # Permissions for CloudFormation to create resources
+  # Create new substacks from CDK templates
   statement {
     actions = [
-      "apigateway:*",
-      "cloudformation:CreateStack",
-      "iam:CreateRole",
-      "iam:DeleteRole",
-      "iam:DeleteRolePolicy",
-      "iam:GetRole",
-      "iam:GetRolePolicy",
-      "iam:PassRole",
-      "iam:PutRolePolicy",
-      "iam:TagRole",
-      "iam:UntagRole",
-      "lambda:AddPermission",
-      "lambda:CreateFunction",
-      "lambda:DeleteFunction",
-      "lambda:CreateFunctionUrlConfig",
-      "lambda:GetFunctionUrlConfig",
-      "lambda:GetFunction",
-      "lambda:RemovePermission",
-      "lambda:TagResource",
-      "lambda:UntagResource",
-      "logs:CreateLogGroup",
-      "logs:DeleteLogGroup",
-      "logs:DeleteRetentionPolicy",
-      "logs:PutRetentionPolicy",
-      "logs:TagLogGroup",
-      "logs:UntagLogGroup",
+      "cloudformation:CreateStack"
     ]
     resources = ["*"]
   }
 
-  # Allow CloudFormation to publish status changes to the SNS queue
+  # Allow to pass the cloudfront role to the cloudformation stack
   statement {
-    effect = "Allow"
     actions = [
-      "sns:Publish"
+      "iam:PassRole"
     ]
-    resources = [var.deploy_status_sns_topic_arn]
+    resources = [var.cloudformation_role_arn]
   }
 }
 
@@ -179,7 +153,10 @@ data "aws_iam_policy_document" "access_dynamodb_table_deployments" {
       "dynamodb:PutItem",
       "dynamodb:UpdateItem"
     ]
-    resources = [var.dynamodb_table_deployments_arn]
+    resources = [
+      var.dynamodb_table_aliases_arn,
+      var.dynamodb_table_deployments_arn
+    ]
   }
 }
 
@@ -254,13 +231,17 @@ module "deploy_trigger" {
   ]
 
   environment_variables = {
-    NODE_ENV               = "production"
-    TARGET_BUCKET          = aws_s3_bucket.static_deploy.id
-    DISTRIBUTION_ID        = var.cloudfront_id
-    SQS_QUEUE_URL          = aws_sqs_queue.this.id
-    DEPLOY_STATUS_SNS_ARN  = var.deploy_status_sns_topic_arn
-    TABLE_REGION           = var.dynamodb_region
-    TABLE_NAME_DEPLOYMENTS = var.dynamodb_table_deployments_name
+    NODE_ENV                = "production"
+    TARGET_BUCKET           = aws_s3_bucket.static_deploy.id
+    DISTRIBUTION_ID         = var.cloudfront_id
+    SQS_QUEUE_URL           = aws_sqs_queue.this.id
+    DEPLOY_STATUS_SNS_ARN   = var.deploy_status_sns_topic_arn
+    TABLE_REGION            = var.dynamodb_region
+    TABLE_NAME_ALIASES      = var.dynamodb_table_aliases_name
+    TABLE_NAME_DEPLOYMENTS  = var.dynamodb_table_deployments_name
+    CLOUDFORMATION_ROLE_ARN = var.cloudformation_role_arn
+    # Remove the * from the base domain (e.g. *.example.com -> .example.com)
+    MULTI_DEPLOYMENTS_BASE_DOMAIN = var.enable_multiple_deployments ? replace(var.multiple_deployments_base_domain, "/^\\*/", "") : null
   }
 
   event_source_mapping = {

diff --git a/modules/statics-deploy/variables.tf b/modules/statics-deploy/variables.tf
@@ -1,6 +1,6 @@
 variable "deploy_trigger_module_version" {
   type    = string
-  default = "1.0.0-canary.2"
+  default = "1.0.0-canary.3"
 }
 
 variable "cloudfront_id" {
@@ -18,6 +18,28 @@ variable "lambda_role_permissions_boundary" {
   default = null
 }
 
+################
+# CloudFormation
+################
+
+variable "cloudformation_role_arn" {
+  description = "Role ARN that should be assigned to the CloudFormation substacks created by CDK."
+  type        = string
+}
+
+######################
+# Multiple deployments
+######################
+
+variable "enable_multiple_deployments" {
+  type = bool
+}
+
+variable "multiple_deployments_base_domain" {
+  type    = string
+  default = null
+}
+
 #####################
 # Deployment database
 #####################
@@ -26,6 +48,14 @@ variable "dynamodb_region" {
   type = string
 }
 
+variable "dynamodb_table_aliases_arn" {
+  type = string
+}
+
+variable "dynamodb_table_aliases_name" {
+  type = string
+}
+
 variable "dynamodb_table_deployments_arn" {
   type = string
 }